Cookie Utility

The YUI Cookie utility provides a simple API for interacting with cookies, including the creation and manipulation of subcookies.

Note about HTTPOnly Cookies: HTTPOnly cookies are cookies that may be set either by JavaScript or by the server but cannot be read from JavaScript. The YUI Cookie utility does not provide support for setting HTTPOnly cookies because browser support is not well-established and there is no fallback mechanism. Setting an HTTPOnly cookie on a browser that doesn't support it is the same as setting any other cookie (no error is thrown). When all A-grade browsers support setting HTTPOnly cookies by JavaScript, we will revisit adding support for it in the Cookie utility.

Getting Started

To include the source files for Cookie Utility and its dependencies, first load
the YUI seed file if you haven't already loaded it.

Next, create a new YUI instance for your application and populate it with the
modules you need by specifying them as arguments to the YUI().use() method.
YUI will automatically load any dependencies required by the modules you
specify.

By providing an "expires" option in the third argument, the cookie persists until the given date. In this example,
the cookie will remain until January 12, 2025. The value for "expires" must be a Date object, otherwise
it is ignored.

It's possible to restrict access to a cookie by setting path and/or domain information. Setting a path on the cookie restricts access to pages that match that path; setting a domain restricts access to pages on a given domain (typically used to allow cookie access across subdomains). Both options can be easily set using the "path" and "domain" options:

In this example, a cookie is created that can be accessed from all pages on a yahoo.com subdomain. This cookie would
then be accessible from pages on sports.yahoo.com as well as www.yahoo.com.
The "path" and "domain" options need not be used together; they may be used independently as well.

The last option is "secure", which indicates that the cookie should only be accessible via SSL on a page
using the HTTPS protocol. All other aspects of the cookie remain the same based on the other options provided. To set a
secure cookie, use the "secure" option:

This code creates a secure cookie by setting the "secure" option to true. Note that this will only work if the page calling this code uses the HTTPS protocol, otherwise the cookie will be created with default options.

There is one more option called "raw". When this option is specified, the cookie will not be URL-encoded before being set. Setting a "raw" cookie typically means that you have specialized server-side logic to deal with cookies that aren't URL-encoded. This is considered an advanced option that should only be used when necessary. Example usage:

This example retrieves the cookie called "name" and stores its value in the variable value. By default, values returned by get() are strings (if the cookie exists) or null (if the cookie doesn't exist). You can change the return value by providing a conversion function as the second argument. For example, to return a number, you can pass in the native Number() function:

In this code, the returned cookie value will be a number if the cookie exists (it will still be null if the cookie doesn't exist). Other native functions that convert values are Boolean() and Date, or you can define your own conversion function:

Conversion functions accept a single argument, the string value of the cookie, and must return a value. In this example, the conversion function expects a hexadecimal code to be returned and passes it into parseInt() to convert the value into a number. Note that the conversion function is never called if the cookie doesn't exist (get() always returns null when the cookie doesn't exist).

The second argument can optionally be an object if you'd like to read a raw cookie. As with, writing cookies, it's possible to read a cookie without URL-decoding the value. To specify this, the second argument should be an object, such as:

Deleting Cookies

When a cookie is no longer need, it can be removed from the browser by calling the remove() method. This method takes two arguments: the name of the cookie to remove and an optional cookie options object. A cookie created with specific options can only be deleted by specifying the same options. For instance, a cookie created with a domain property of "yahoo.com" can only be deleted by also specifying the domain property as "yahoo.com". Examples:

Subcookies

Each browser has a limit to the number of cookies that can be set per domain. These limits can be problematic for domains with different sites under different subdomains. Since cookie name-value pairs are rarely large enough to reach the byte limit for an individual cookie, it represents an opportunity to store multiple name-value pairs in a single cookie; these are called subcookies.

A subcookie string looks similar to a URL and takes the following form:

cookiename=name1=value1&name2=value2&name3=value3

The Cookie utility supports this style of subcookies to allow multiple values to be stored in a single cookie. To set a subcookie value, use the setSub() method. This method accepts four arguments: the cookie name, the subcookie name, the subcookie value, and an optional options object. Note that the options object works on the entire cookie, it is not specific to the subcookie.

// Create a YUI instance and use the cookie module.
YUI().use('cookie', function(Y){
//set a cookie named "name" with a subcookie named "subname" whose value is "value"
Y.Cookie.setSub("name", "subname", "value");
//set a second subcookie on "name", with a name of "subname2" and a value of "value2"
Y.Cookie.setSub("name", "subname2", "value2");
//set subcookie on the "yahoo.com" domain
Y.Cookie.setSub("info", "age", 22, { domain: "yahoo.com" });
//set subcookie to a secure cookie named "user"
Y.Cookie.setSub("user", "name", "ace123", { secure:true });
});

It's possible to set the entire contents of a subcookie by using the setSubs() method, which accepts three arguments:
the name of the cookie, and object containing name-value pairs, and an optional cookie options object. For instance, this code
sets three subcookies at once:

Note that calls to setSubs() will always completely overwrite the cookie.

To retrieve subcookie values, there are two methods. The first is getSub(), which retrieves a single subcookie value.
This method accepts three arguments: the cookie name, the subcookie name, and an optional converter function. As with get(),
the converter function changes the data or type of data retrieved from the cookie before it's returned (and isn't called at all
if the cookie or subcookie doesn't exist):

The second method to retrieve subcookies is getSubs(), which retrieves all subcookies and returns an object
with name-value pairs for each subcookie. The getSubs() method takes a single argument, the name of the cookie
containing subcookies to retrieve. The returned value is either an object or null if the cookie doesn't exist.

Removing subcookies is accomplished using the removeSub() method. This method accepts three arguments: the cookie name, the subcookie name, and an optional cookie options object. The options object, if specified, must have the same options
as when the cookie was originally created. Example: